Threat actors are actively exploiting CVE-2024-11680, a critical vulnerability in ProjectSend, an open-source PHP-based file-sharing application. Public exploits and widespread disregard for patching have exposed thousands of servers to the risk of compromise. Of the approximately 4,000 publicly accessible ProjectSend servers, a staggering 99% remain unpatched, allowing attackers to install webshells, manipulate configurations, and gain unauthorized access.
| Product | ProjectSend |
| Date | 2024-11-27 15:01:03 |

Information
Technical Summary
CVE-2024-11680, which carries a CVSS score of 9.8, allows remote, unauthenticated attackers to exploit inadequate authorization checks in the options.php endpoint. Through this endpoint an attacker can perform privileged operations such as:
- Creation of fake user accounts.
- Activation of unauthorized user registration and automatic validation.
- Modification of configuration settings.
- Uploading malicious webshells or embedding JavaScript for further exploitation.
The vulnerability was disclosed by Synacktiv in early 2023 and affects versions from r1605 to at least r1270, even though ProjectSend version r1720, released in May 2023, patches the flaw.
Exploitation increased significantly from September 2024 onward, with attackers using public Metasploit and Nuclei scripts to:
- Enable user registration, gaining access after authentication.
- Deploy webshells to ensure persistence and carry out malicious activities.
Given the very low patch adoption rate, a rapid increase in attacks is expected. Understanding the threat vector exploited in this campaign helps contextualize the severity of the exposure.
Recommendations
Apply the patch immediately:
- Update all instances to ProjectSend version r1720 or later to mitigate the vulnerability.
Restrict access:
- Apply access controls, limiting server exposure to trusted networks.
- Deploy Web Application Firewalls (WAF) to filter malicious requests to options.php.
Monitor your digital environment:
- Activate proactive external threat monitoring: a Threat Intelligence and Digital Risk Protection service allows you to detect signs of compromise and indicators of attack before they translate into actual incidents.
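As a starting point for the monitoring and WAF recommendations above, here is an added detection example (not part of this advisory and not ProjectSend code) that scans web-server access logs for POST requests to options.php, the endpoint the public exploit scripts abuse, and summarises them per client. It assumes the Apache/nginx "combined" log format; the log lines and the /projectsend/ path prefix are constructed sample data. A POST to options.php is also what a legitimate administrator's settings save looks like, so each hit should be correlated with a known admin session before being treated as an incident.

```python
import re
from datetime import datetime

# Constructed sample access-log lines in "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Nov/2024:14:58:01 +0000] "GET /projectsend/index.php HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2024:14:58:03 +0000] "POST /projectsend/options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [27/Nov/2024:14:58:04 +0000] "POST /projectsend/options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [27/Nov/2024:15:00:12 +0000] "GET /projectsend/options.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Nov/2024:15:01:30 +0000] "POST /projectsend/OPTIONS.PHP?x=1 HTTP/1.1" 200 120 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Strip the query string and lower-case so "OPTIONS.PHP?x=1" still matches.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec

def find_options_php_posts(log_text):
    """Return {client_ip: {"count", "first", "last", "agents"}} for every client
    that POSTed to options.php. GET requests (viewing the page) are ignored."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].endswith("/options.php"):
            continue
        h = hits.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "agents": set()})
        h["count"] += 1
        h["first"] = min(h["first"], rec["ts"])
        h["last"] = max(h["last"], rec["ts"])
        h["agents"].add(rec["ua"])
    return hits

if __name__ == "__main__":
    for ip, h in find_options_php_posts(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} POST(s) to options.php between {h['first']} and {h['last']}, agents={sorted(h['agents'])}")
```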